Forefront Client Security
  • Categories: includes secure access solutions and enterprise-class anti-malware.
    Products:
    - Forefront Client Security (formerly called Microsoft Client Protection)
    - Forefront Security for Exchange Server (currently called Microsoft Antigen for Exchange)
    - Forefront Security for SharePoint (currently called Microsoft Antigen for SharePoint)
    - Microsoft Antigen for Instant Messaging
    - Microsoft Internet Security and Acceleration (ISA) Server 2006
    The brand may be new, but the technology is not:
    - ISA technology was first launched in 1996
    - Whale technology first shipped in 1998
    - The new Forefront Server Security products (previously Antigen) will be v10
    Forefront Client Security is built on the same highly successful Microsoft protection technology already used in products such as Windows Live™ OneCare™, Windows® Defender and Microsoft Forefront Security for Exchange Server.
  • While Forefront is a key component of Microsoft’s strategy for providing end-to-end security for business customers, numerous other products and initiatives play significant roles in Microsoft’s vision of a well-managed and secure network infrastructure.
    - Information Protection: RMS, EFS, BitLocker
    - Identity Management: CLM, AD, MIIS
    - Systems Management: SMS, WSUS, MOM
    - Operating System (the foundation): XP SP2, Vista, Longhorn
    Microsoft’s Network Access Protection (NAP), built into Vista and Longhorn, provides automatic validation and remediation of the security “health” of devices on your network. Devices are quarantined from the network until they are automatically brought back into compliance.
    The biggest area of vulnerability lies in one of the most commonly used applications, the browser. With Internet Explorer 7, especially in conjunction with Vista, new levels of security are enabled through Protected Mode (IE runs with very low privilege).
    Last but not least, Microsoft offers a wide range of technical and industry-specific guidance to ensure solutions are deployed correctly and in a manner most likely to provide the business benefits you are trying to realize.
  • Windows Defender: a free program that helps protect your computer against pop-ups and security threats caused by spyware and other unwanted software.
    Windows Live OneCare Safety Scanner: a free web service that individuals can use to help ensure the health of their PC. In addition to checking for and removing viruses, Windows Live Safety Center includes tools for improving PC performance. Learn more about Windows Live OneCare Safety Scanner at
    Windows Live OneCare: an all-in-one, automatic and self-updating PC care service designed to help consumers more easily protect and maintain their PCs. Windows Live OneCare is available for an annual subscription rate of $49.95 MSRP for up to three personal computers.
    Malicious Software Removal Tool (MSRT): a tool that complements traditional antivirus technologies by helping to identify and remove the most prevalent viruses and worms from customer computers. It is available at no charge to licensed Windows users. Microsoft releases an updated version of this tool on the second Tuesday of each month.
  • Unified Protection
    Microsoft Forefront Client Security is built just for this: it provides unified malware protection that is easier to manage and control.
    Built on the same highly successful Microsoft protection technology already used by millions of people worldwide, Forefront Client Security helps guard against emerging threats such as spyware and rootkits as well as traditional threats such as viruses, worms and Trojan horses.
    Simplified administration
    A single management console provides control over client settings, integrates with existing infrastructure software such as Active Directory, and complements other Microsoft security technologies for better protection and greater control.
    Visibility and Control
    Critical visibility into threats and vulnerabilities, with the ability to view reports and stay informed about your environment.
    Greater confidence that the state of your environment is what you believe it to be.
  • Windows Filter Manager
    Microsoft’s prescribed scanning platform: security vendors can apply “mini-filter” technology to scan for malware in real time.
    Other anti-spyware solutions detect malware at the user-mode level, a more reactive approach to detection: the spyware has to be allowed to run first before it can be detected and scanned. By using Windows Filter Manager, FCS is able to scan both virus and spyware files before they run.
    The other benefit of using the Windows Filter Manager is that end-user disruption is minimized during real-time scans for both viruses and spyware.
  • If we look at the Management Model, there are 4 key tasks an administrator must perform when using FCS to ensure that systems are protected:
    - Define security steady state: this includes the definition of client security policy for systems in the environment.
    - Keep systems up to date: ensuring that the distribution systems are in place to receive signatures from Microsoft Update and then distribute those signatures to the systems in the environment.
    - View reports: understanding the security state of the environment and whether it has improved or worsened over time.
    - Respond to alerts: quickly identifying the critical events to which the administrator must respond in order to bring the environment back to its baseline.
  • Choice of 3 integrated policy profile deployment methods
    Forefront Client Security allows customers to choose from 3 different methods for profile deployment.
    - Microsoft Forefront Client Security console (AD/GP): within the console there is the option of selecting machines for targeting based on domains, sites and organizational units, with the added ability to make exceptions to policy based on security groups. FCS works in the background to create a Group Policy object and target the selected container. Using this preferred option simplifies administration while providing the level of control needed to ensure systems are protected.
    - ADM file: if so desired, an ADM file can be used along with the Group Policy Management console for advanced targeting and customization.
    - Use existing software distribution systems: the third choice is to use an existing software distribution system. Within the console there is an option to export a desired policy to a file. Once exported, the file can be used to apply those settings through the software distribution system.
  • Client Security Console
    When using the Client Security console, customers benefit from having a single place to create and deploy policy to their environment. The key differentiating benefit is the ability to see profile compliance reports, which allow verifying that systems have the latest version of the policy that has been deployed to them.
    GPMC
    GPMC allows for greater targeting granularity, since a single machine can be targeted for policy deployment. Nonetheless, since the Client Security console has no knowledge of policies that have been created with GPMC, it will not be able to show policy compliance information, that is, the ability to ensure that systems have the correct and most up-to-date policy applied to them.
    Existing SW Distribution system
    Once policies are exported using the Client Security console, the exported file can be used to deploy policies to systems. Using existing software distribution systems, customers can take advantage of single-machine targeting, but since the Client Security console has no knowledge of policies that have been deployed with the software distribution system, it will not be able to show policy compliance information, that is, the ability to ensure that systems have the correct and most up-to-date policy applied to them.
  • FCS is optimized for use with Windows Server Update Services.
    In typical Client Security environments, a local WSUS server is responsible for downloading antimalware definitions from Microsoft Update.
    Systems running the Client Security agent can obtain their definitions from WSUS, rather than each making an individual Microsoft Update (MU) request.
    WSUS allows administrators to approve updates, which helps customers who want to test updates with a targeted group of machines before broad deployment.
    When Client Security is installed, an Update Assistant for WSUS is also installed. This Update Assistant increases the sync frequency between WSUS and MU to an hourly basis, allowing for quick synchronization of available updates. Additionally, the Update Assistant checks in with WSUS on an hourly basis for any available antimalware definitions.
    For systems which are often disconnected from the corporate environment and without access to the WSUS server, the client agent can be configured to fail over directly to Microsoft Update. This helps ensure that disconnected systems, such as those of a remote sales force, are always up to date.
  • FCS is built on MOM 2005 technology and uses SQL Reporting Services, which many customers may already be familiar with. The required MOM 2005 components are included as part of FCS to simplify deployment and use.
  • One of the great features of FCS is alerting as threats appear. Client Security policies can have different alert settings, which is especially important since administrators may want to configure alerts based on the assets that are being protected.
    Using the simple controls in Client Security helps administrators save time by selecting the level of alerts they want to see from different types of machines, rather than digging through and triaging alerts across their environment.
  • Using the layered, integrated protection Microsoft technologies offer, administrators can unify client security, simplify its administration, and get more out of existing infrastructure.
    The three-dimensional secure client solution can be implemented incrementally without having to deploy separate management infrastructures. For example, administrators can start evaluating and implementing Server and Domain Isolation today (on Windows XP and Windows Server 2003). Then they can deploy Forefront Client Security on their existing Windows XP hosts and roll out Windows Vista as part of the organization’s client hardware refresh cycle (with Forefront Client Security part of the standard desktop image).
    All three dimensions of the secure client solution described here make use of Active Directory for policy management and distribution. Each of the three security controls complements the defenses of the others in the true spirit of a defense-in-depth security strategy. As hosts join the Active Directory domain, they automatically receive the policy settings for all three components, which reduces the complexity of deployment.
    The end result is a simplified yet comprehensive client security solution that helps protect your business effectively and efficiently.

Forefront Client Security: Presentation Transcript

  • Gary Verster, Microsoft Corporation
  • Agenda:
    - The Security Environment
    - Tenets of Microsoft Security Product Line
    - Microsoft Forefront
    - Microsoft Forefront Client Security
    - Three Dimensions to Securing Clients
  • The Security Environment:
    - More advanced
    - More frequent
    - Profit motivated
    - Application-oriented
    - Too many point products
    - Poor interoperability
    - Lack of integration
    - Multiple consoles
    - Uncoordinated event reporting & analysis
    - Cost and complexity
  • Tenets of Microsoft Security Product Line:
    - Protect information and control access at: operating system, server applications, network “edge”, content
    - Heterogeneity: third-party products, secure custom apps
    - 24/7 security research and response
    - Unified view and analytics
    - Reduced number of management consoles
    - Simplified deployment
    - Appliances and appliance-like experience
    - Technical and industry guidance
    - Simplified licensing
    - Cross-product integration: MSFT security products, MSFT server applications
    - Integration with Microsoft IT infrastructure: Active Directory®, SQL Server™, Operations Manager, etc.
    - Integration with ecosystem partners and custom apps
  • A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management
  • Microsoft Forefront and the surrounding platform:
    - Guidance
    - Developer Tools
    - Systems Management
    - Active Directory Federation Services (ADFS)
    - Identity Management Services
    - Information Protection: Encrypting File System (EFS), BitLocker™
    - Network Access Protection (NAP)
    - Client and Server OS
    - Server Applications
    - Edge
  • Capabilities across Microsoft anti-malware products:
    - Remove most prevalent viruses
    - Remove all known viruses
    - Real-time antivirus
    - Remove all known spyware
    - Real-time antispyware
    - Central reporting and alerting
    - Customization
    - IT infrastructure integration
    For individual users: MSRT, Windows Defender, Windows Live OneCare Safety Scanner, Windows Live OneCare
    For businesses: Microsoft Forefront Client Security
  • Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
    - One solution for spyware and virus protection: state assessment; built on protection technology used by millions worldwide; effective threat response
    - One console for simplified security administration: define one policy to manage client protection agent settings; integrates with your existing infrastructure
    - One dashboard for visibility into threats and vulnerabilities: view insightful reports; stay informed with state assessment scans and security alerts
  • One engine for virus and spyware protection
    - Used in Windows® Defender, OneCare, Forefront Server Security, etc.
    - Compatible with NAP through Windows Security Center
    - Engine detection and removal capabilities include:
      - Real-time, scheduled or on-demand detection & removal
      - Real-time detection uses Windows Filter Manager technology
      - Checks to ensure the system is fully functional after cleaning
      - Scanning of dozens of archives and packers
      - Scans for rootkits
      - Behavior analysis and polymorphic viruses
      - Heuristic detections for new malware and variants
  • Malware research and response
    - Tight integration with MSRC and other support processes
    - Dedicated team with automated analysis and testing
    - Multiple data sources enabling advanced threat telemetry
    - Delivers malware definition updates for: Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender
    - Develops the core anti-malware engine in Forefront and OneCare
    - Develops the Windows Malicious Software Removal Tool
  • Management model
    - Define security steady state: specify the ongoing security behavior of my clients
    - Keep systems up-to-date: ensure that clients have the latest signatures
    - View reports: determine the security state, now and over time
    - Respond to alerts: what critical security events require my attention?
  • One console for simplified security administration
    - Choice of 3 integrated policy profile deployment methods:
      - Microsoft Forefront Client Security Console (uses AD/GP)
      - ADM file (uses AD/GP)
      - Export to a file, then use an existing software distribution system
    - One policy to manage client protection agent settings, e.g.:
      - Anti-spyware unknown action
      - Alert level
      - Event and logging settings
      - SpyNet reporting on/off
      - Level of end-user UI shown
      - Scan schedule
      - Real-time protection on/off
      - Signature update frequency
      - Anti-spyware signature overrides
      - Security state assessment settings
  • Policy deployment method comparison:

    Feature                    Client Security Console   GPMC                    Existing SW Dist System*
    Infrastructure used        AD/GP                     AD/GP                   SW dist system
    Targeting granularity      OU-level                  Single machine          Single machine
    Policy exceptions          Security Groups           Unlimited               Unlimited
    Policy compliance report   Yes                       No                      No
    Policy distribution via    Console                   GPMC, using ADM file    Exported files

    * Agents deployed via existing software distribution system
  • Signature deployment optimized for Windows Server Update Services (WSUS)
    - Can use any software distribution system
    - Auto and manual approval of definitions
    - Client Security installs an Update Assistant service to increase sync frequency between WSUS and Microsoft Update (MU) for definitions
    - Support for roaming users: failover from WSUS to Microsoft Update
    Diagram: Malware Research → Microsoft Update → (sync) WSUS + Update Assistant → (sync) Desktops, Laptops and Servers; Failover from the clients directly to Microsoft Update
  • One dashboard for visibility into threats and vulnerabilities
    - View insightful reports
    - Stay informed with state assessment scans and security alerts
  • Enables focus on threats and possible vulnerabilities
    - State assessment scans determine which machines need to be patched or are configured insecurely
    - Built on MOM 2005 technology; uses SQL™ Reporting Services
    - Report categories include: Malware Threat(s), Vulnerability Summary, Scan Results, Historical Information, Summary Report, Deployment, Alerts, Computers
  • Security Summary
  • “Is my environment compliant with security best practices?” “Has my level of vulnerability exposure changed over time?” “What portion of my environment is at high risk?”
  • Alerting
    - Alert configuration is policy specific
    - Alerts notify the admin of high-value incidents, including: malware detected, malware failed to remove, malware outbreak, malware protection disabled
    - Alert levels (1 through 5) control the type & volume of alerts generated, ranging from “Rich Data, High Value Assets” to “Critical Issues Only, Low Value Assets”
    - Alert types shown on the scale: Outbreak; Malware removal failed; Signature update failed; Malware detected and removed; Signature update failed (per min)
  • Public beta available now!
    - Download at
    - Community-based support at
    Release To Manufacture planned for Q2 CY2007
    Will be available through Microsoft’s volume licensing programs
  • Three dimensions to securing clients (Combined Solution):
    - Windows Vista™: User Account Control; IE7 with Protected Mode; Randomize Address Space Layout; Advanced Desktop Firewall; Kernel Patch Protection (64bit)
    - Forefront™ Client Security: Unified Virus & Spyware Protection; Central Management; Reporting, Alerting and State Assessment; Infrastructure Software Integration
    - Server and Domain Isolation (SD&I): Policy Based Network Segmentation; Restrict-To-Trusted Net Communications
  • Summary:
    - Unified Virus & Spyware Protection
    - Simplified Administration
    - Critical Visibility & Control
    - An integral part of Microsoft Forefront™
    - Better together with Windows Vista™ and S&DI
    Download now!
  • Thank you to our Partners for their support of TechDays 2007